{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/reconnaissance/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS S3","AWS CloudTrail"],"_cs_severities":["low"],"_cs_tags":["aws","s3","cloudtrail","discovery","enumeration","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief covers suspicious activity related to the rapid enumeration of AWS S3 buckets. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs from the same source IP address within a short timeframe. This pattern is often associated with reconnaissance efforts, security scanning tools, or post-compromise enumeration activities. The behavior is similar to that observed with CSPM tools and by threat actors like Team PCP. The detection specifically excludes AWS service principals and requires programmatic-style sessions (i.e., not Management Console credentials). It focuses on scenarios where resource and identity fields are populated to avoid skewed results from null values. The detection threshold is set to greater than 15 distinct \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e values within a 10-second window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment using compromised credentials or through an exposed IAM role. 
(T1530)\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to AWS using the obtained credentials, creating a programmatic session.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e API calls to S3.\u003c/li\u003e\n\u003cli\u003eThese API calls are directed towards multiple distinct S3 buckets within a short timeframe (10 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker collects information about the bucket\u0026rsquo;s access control lists (ACLs), public access blocks, policies, versioning status, and other metadata. (T1526, T1580, T1619)\u003c/li\u003e\n\u003cli\u003eThe collected information is analyzed to identify publicly accessible buckets, misconfigurations, or sensitive data storage locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses identified vulnerabilities to exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement within the AWS environment, leveraging the discovered information to compromise other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of S3 buckets can lead to the discovery of sensitive data, misconfigurations, and publicly accessible resources. This can result in data breaches, unauthorized access, and further compromise of the AWS environment. The enumeration allows an attacker to map out the S3 storage landscape, identifying targets for data exfiltration or privilege escalation. 
The rapid nature of the enumeration suggests automated scanning or reconnaissance, potentially indicating a larger attack campaign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect rapid S3 bucket enumeration activity based on AWS CloudTrail logs, adjusting the threshold of 15 distinct buckets to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address (\u003ccode\u003esource.ip\u003c/code\u003e), AWS principal ARN (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e), and the list of accessed buckets (\u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with the identified principal to ensure least privilege for S3 read APIs.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for related events, such as \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, \u003ccode\u003eAssumeRole\u003c/code\u003e, or IAM changes, occurring within ±30 minutes of the detected enumeration activity.\u003c/li\u003e\n\u003cli\u003eImplement network-level restrictions on the source IP address if it is not authorized to perform S3 enumeration.\u003c/li\u003e\n\u003cli\u003eDocument approved scanning accounts and add user agent filters to the provided Sigma rule to reduce noise from those identities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-01-aws-s3-bucket-discovery/","summary":"An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.","title":"Rapid Enumeration of AWS S3 
Buckets","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","s3","reconnaissance"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief details detection of rapid enumeration of AWS S3 bucket configurations. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs across numerous buckets within a short timeframe. This pattern is consistent with automated reconnaissance, security scanning, or post-compromise enumeration. The activity is detected by monitoring AWS CloudTrail logs for specific API calls such as \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e. The detection logic excludes AWS service principals and sessions using Management Console credentials to reduce false positives. This activity is relevant for defenders as it can signal early-stage reconnaissance by threat actors like Team PCP, or unauthorized data discovery within the AWS environment. 
The rule uses a threshold of 15 distinct buckets accessed within 10 seconds to identify suspicious behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to AWS credentials, possibly through compromised credentials or misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired credentials to authenticate to the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or tool that calls multiple S3 APIs (e.g., \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e) to gather information about S3 buckets.\u003c/li\u003e\n\u003cli\u003eThe tool iterates through a list of buckets, querying the configuration of each.\u003c/li\u003e\n\u003cli\u003eThe attacker collects the responses from the S3 API calls, mapping out bucket names, permissions, and access control lists.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the collected data to identify potentially sensitive data or misconfigured buckets.\u003c/li\u003e\n\u003cli\u003eBased on the findings, the attacker may proceed to exfiltrate data from accessible buckets (T1530).\u003c/li\u003e\n\u003cli\u003eThe attacker may also attempt to modify bucket policies or access controls to gain further access or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance of S3 bucket configurations allows attackers to identify vulnerable buckets, potentially leading to data breaches or unauthorized access to sensitive information. The source material does not provide specific victim counts or sectors. However, the impact can range from exposure of confidential data to full compromise of the AWS environment, depending on the level of access gained and the sensitivity of the data stored in the targeted buckets. 
Identifying the activity early can prevent further exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect rapid S3 bucket posture API calls (see: \u0026ldquo;AWS S3 Rapid Bucket Enumeration\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview IAM policies and enforce least privilege on S3 read APIs to limit the scope of potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for the same \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e within approximately ±30 minutes for follow-on patterns such as \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, or \u003ccode\u003eAssumeRole\u003c/code\u003e activities (see Overview).\u003c/li\u003e\n\u003cli\u003eRotate or disable keys for the affected identity, revoke active role sessions where possible, and restrict the source IP at the network layer if it is not authorized (see Overview).\u003c/li\u003e\n\u003cli\u003eWhitelist approved scanning accounts and tune the Sigma rule to reduce noise from those identities (see Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-aws-s3-reconnaissance/","summary":"An AWS principal rapidly enumerates S3 bucket configurations using read-only APIs, potentially indicating reconnaissance activity by security scanners, CSPM tools, or malicious actors performing post-compromise enumeration.","title":"AWS S3 Rapid Bucket Posture API Calls Indicate 
Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2026-04-aws-s3-reconnaissance/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["honeypot","telnet","reconnaissance","intrusion","opencanary"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenCanary is a low-interaction honeypot designed to detect attackers on a network. This detection focuses on Telnet login attempts, a protocol rarely used legitimately in modern networks and thus a strong indicator of malicious activity. When an attacker attempts to log into a Telnet service on an OpenCanary node, it triggers this alert. This provides early warning of potential intrusion attempts, reconnaissance activities, or lateral movement by attackers who have already gained a foothold. The detection is based on OpenCanary\u0026rsquo;s logging functionality which records such login attempts, generating a log event with code 6001. This event signifies an attacker interacting with the Telnet service, which is unlikely in a well-secured and properly configured environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker scans the network for open ports, identifying a Telnet service.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to connect to the Telnet service on the OpenCanary node.\u003c/li\u003e\n\u003cli\u003eAttacker enters credentials (username and password) in an attempt to authenticate.\u003c/li\u003e\n\u003cli\u003eOpenCanary logs the Telnet login attempt, generating an event with logtype 6001.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on the OpenCanary log event.\u003c/li\u003e\n\u003cli\u003eSecurity team investigates the alert to determine the source and intent of the Telnet login attempt.\u003c/li\u003e\n\u003cli\u003eIf the attempt is malicious, the security team takes steps to block the attacker and prevent further 
access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Telnet login could provide an attacker with unauthorized access to the network or specific systems. While Telnet itself may not grant immediate access to sensitive data, it can be used as a stepping stone for further exploitation and lateral movement. The compromise of even a single system can lead to data breaches, ransomware deployment, and significant disruption of services. OpenCanary serves as an early warning system, allowing defenders to identify and respond to such attempts before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOpenCanary - Telnet Login Attempt\u003c/code\u003e to your SIEM to detect unauthorized Telnet login attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eOpenCanary - Telnet Login Attempt\u003c/code\u003e rule to determine the source and intent of the connection.\u003c/li\u003e\n\u003cli\u003eReview the OpenCanary configuration to ensure it is properly deployed and monitoring the appropriate network segments.\u003c/li\u003e\n\u003cli\u003eConsider disabling the Telnet service on all legitimate systems on the network to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T14:30:00Z","date_published":"2024-10-26T14:30:00Z","id":"/briefs/2024-10-opencanary-telnet-login/","summary":"The OpenCanary Telnet Login Attempt detection identifies unauthorized login attempts to a Telnet service monitored by an OpenCanary node, indicating potential reconnaissance or intrusion attempts targeting the network.","title":"OpenCanary Telnet Login 
Attempt","url":"https://feed.craftedsignal.io/briefs/2024-10-opencanary-telnet-login/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenCanary"],"_cs_severities":["high"],"_cs_tags":["honeypot","ssh","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["Thinkst"],"content_html":"\u003cp\u003eThe OpenCanary SSH Connection Attempt alert signifies that an SSH service on a deployed OpenCanary node has received a connection attempt. OpenCanary is a low-interaction honeypot designed to detect reconnaissance and lateral movement activities within a network. This event, logged as logtype 4000 by default, suggests that an attacker is actively scanning for or attempting to exploit SSH services. This alert is crucial for defenders because OpenCanary nodes are deliberately placed to attract malicious activity, meaning any interaction is highly suspicious. The alert helps identify potential breaches early, allowing security teams to respond quickly. The configuration of services monitored by OpenCanary is detailed in the project\u0026rsquo;s documentation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Reconnaissance: The attacker conducts network scanning using tools like Nmap or Masscan to identify open ports and services, including SSH (port 22).\u003c/li\u003e\n\u003cli\u003eTarget Identification: The attacker identifies the OpenCanary node, mistaking it for a legitimate SSH server, due to its exposed SSH port.\u003c/li\u003e\n\u003cli\u003eConnection Attempt: The attacker attempts to establish an SSH connection to the OpenCanary node using a tool like \u003ccode\u003essh\u003c/code\u003e or a custom script.\u003c/li\u003e\n\u003cli\u003eAuthentication Probe: The attacker might attempt to authenticate using default credentials, common usernames and passwords, or brute-force techniques.\u003c/li\u003e\n\u003cli\u003eCredential Compromise (Simulated): The OpenCanary node logs the 
failed or successful (simulated) login attempt, triggering the alert. OpenCanary may simulate a successful login for further interaction logging.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Attempted): If the attacker believes they have successfully authenticated, they may attempt lateral movement to other systems within the network.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Attempted): The attacker could attempt to escalate privileges on the \u0026ldquo;compromised\u0026rdquo; system (OpenCanary) to gain further access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/System Damage (Prevented): Because it\u0026rsquo;s a honeypot, OpenCanary prevents actual data exfiltration or system damage but logs all attempted actions for analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn SSH connection attempt on an OpenCanary node, while not directly causing damage, indicates active reconnaissance or attempted unauthorized access within the network. The number of alerts generated can highlight the frequency of malicious scans targeting SSH services. Successful exploitation (simulated on the honeypot) could lead to lateral movement, privilege escalation, and data exfiltration if the attacker were to compromise a real system. 
This activity is valuable for understanding attacker behavior and improving overall security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect SSH connection attempts to OpenCanary nodes, focusing on \u003ccode\u003elogtype: 4000\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview OpenCanary logs in conjunction with other security logs (firewall, endpoint) to correlate the SSH attempts with other suspicious activities.\u003c/li\u003e\n\u003cli\u003eInvestigate the source IP addresses from which SSH connection attempts originate to identify potential threat actors.\u003c/li\u003e\n\u003cli\u003eConsult the OpenCanary documentation to ensure proper configuration of the SSH service and logging capabilities.\u003c/li\u003e\n\u003cli\u003eUse network segmentation to limit the potential impact of a successful breach, even if only simulated on the OpenCanary node.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-08T14:30:00Z","date_published":"2024-05-08T14:30:00Z","id":"/briefs/2024-05-opencanary-ssh-attempt/","summary":"An SSH connection attempt to an OpenCanary node indicates a potential adversary probing for vulnerable services or attempting unauthorized access within a network.","title":"OpenCanary SSH Connection Attempt","url":"https://feed.craftedsignal.io/briefs/2024-05-opencanary-ssh-attempt/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["kubernetes","discovery","reconnaissance"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAfter gaining initial access to a Kubernetes cluster, adversaries often conduct reconnaissance to understand the environment before further actions like exfiltration or privilege escalation. 
This involves mapping the cluster\u0026rsquo;s structure, identifying workloads, and understanding role-based access control (RBAC) configurations. This reconnaissance is achieved by rapidly querying various API resources, including namespaces, pods, roles, ClusterRoles, ConfigMaps, and ServiceAccounts. The activity is characterized by a burst of \u003ccode\u003eget\u003c/code\u003e and \u003ccode\u003elist\u003c/code\u003e requests across multiple resource types within a short timeframe, which is atypical for normal cluster operations and may indicate malicious probing or permission reconnaissance. This detection focuses on identifying such cross-resource bursts from a single client to distinguish reconnaissance activities from routine automation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Kubernetes cluster using compromised credentials or by exploiting a vulnerability. (T1190, T1566)\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Kubernetes API server using the compromised credentials or a valid service account token.\u003c/li\u003e\n\u003cli\u003eThe attacker begins enumerating namespaces to understand the logical divisions within the cluster using \u003ccode\u003ekubectl get namespaces\u003c/code\u003e or equivalent API calls. (T1068)\u003c/li\u003e\n\u003cli\u003eThe attacker queries pods within the discovered namespaces to identify running workloads and potential targets. (T1068)\u003c/li\u003e\n\u003cli\u003eThe attacker lists roles and cluster roles to understand the existing RBAC configurations and identify potential privilege escalation opportunities. 
(T1069)\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves service accounts to identify applications and their associated permissions, potentially discovering more attack vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the collected information to identify vulnerable services, misconfigured permissions, or sensitive data.\u003c/li\u003e\n\u003cli\u003eBased on the reconnaissance, the attacker proceeds with lateral movement, privilege escalation, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance allows attackers to gain a comprehensive understanding of the Kubernetes environment, facilitating further malicious activities such as lateral movement, privilege escalation, and data exfiltration. This can lead to the compromise of sensitive data, disruption of services, and unauthorized access to critical resources. The impact is magnified in clusters with weak RBAC policies or exposed sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Kubernetes Multi-Resource Discovery\u0026rdquo; to your SIEM and tune for your environment to detect reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by pivoting on \u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e to determine the sequence of API calls.\u003c/li\u003e\n\u003cli\u003eCorrelate the identified activity with RBAC configurations to identify potential violations of the principle of least privilege as described in the rule\u0026rsquo;s Triage and Analysis section.\u003c/li\u003e\n\u003cli\u003eBaseline automation by allowlisting known service accounts or source networks that legitimately span multiple resource types in a short 
window, as described in the rule\u0026rsquo;s False Positive Analysis section.\u003c/li\u003e\n\u003cli\u003eReview and tighten RBAC configurations to minimize the impact of compromised credentials as described in the Response and Remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-kubernetes-multi-resource-discovery/","summary":"Adversaries may perform reconnaissance in a Kubernetes environment by rapidly querying multiple resource types to map the environment and identify potential privilege escalation paths.","title":"Kubernetes Multi-Resource Discovery Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-multi-resource-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["reconnaissance","evasion","command-line"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to obscure their activities by using obfuscated IP addresses within command-line tools. This is done to bypass simple pattern matching or detection rules that rely on standard IP address formats. The Sigma rule \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo; published on 2022-08-03 and modified on 2026-03-16, focuses on detecting this behavior by identifying command lines containing hexadecimal, octal, or other encoded representations of IP addresses used with \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e. 
This activity can indicate reconnaissance, command and control communication, or lateral movement attempts where attackers are trying to hide the true destination of their network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt (cmd.exe) or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e to test network connectivity.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command line that includes an obfuscated IP address (e.g., hexadecimal, octal). For example: \u003ccode\u003eping 0121.04.0174.012\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe command is executed, attempting to resolve or connect to the obfuscated IP address.\u003c/li\u003e\n\u003cli\u003eIf the obfuscation bypasses security controls, the tool resolves the address.\u003c/li\u003e\n\u003cli\u003eThe attacker gathers information about the target system (if ping is successful) or network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this information for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of obfuscated IPs can lead to undetected reconnaissance, lateral movement, and data exfiltration. By hiding the true destination of network traffic, attackers can bypass traditional security measures and gain a foothold within the network. 
The impact includes potential data breaches, system compromise, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo; Sigma rule to your SIEM to detect command-line execution with obfuscated IP addresses.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging for \u003ccode\u003eping.exe\u003c/code\u003e and \u003ccode\u003earp.exe\u003c/code\u003e to ensure the Sigma rule has the necessary data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor command-line activity for unusual patterns or arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-obfuscated-ip-cli/","summary":"The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.","title":"Detection of Obfuscated IP Addresses via Command Line Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-03-obfuscated-ip-cli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["active-directory","discovery","reconnaissance","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eADExplorer is an advanced Active Directory (AD) viewer and editor, it includes the ability to save snapshots of an AD database for offline viewing and comparisons. 
Adversaries may abuse this utility to perform domain reconnaissance and gather sensitive information about the AD structure, user accounts, and group memberships. The execution of ADExplorer is a potential indicator of malicious activity, especially when observed in environments where its use is not typical or when executed by unauthorized users. This activity can lead to further exploitation, such as privilege escalation and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the ADExplorer utility (ADExplorer.exe) to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes ADExplorer.exe to begin enumeration of the Active Directory environment.\u003c/li\u003e\n\u003cli\u003eADExplorer interacts with the Active Directory domain controllers, querying information about users, groups, computers, and organizational units.\u003c/li\u003e\n\u003cli\u003eThe attacker may use ADExplorer to save snapshots of the AD database for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts, critical assets, and potential vulnerabilities within the AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to plan further attacks, such as lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of ADExplorer by malicious actors can lead to the discovery of sensitive information about the Active Directory environment. This information can be leveraged to facilitate lateral movement, privilege escalation, and data exfiltration. 
While the initial risk score is low, the reconnaissance activity enables follow-on attacks that can have severe consequences, potentially leading to full domain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Process Name\u003c/code\u003e to detect the execution of ADExplorer based on process name.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Original File Name\u003c/code\u003e to detect the execution of ADExplorer based on the process\u0026rsquo;s original file name.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on Windows endpoints for the execution of ADExplorer.exe or processes with an original file name of \u0026ldquo;AdExp\u0026rdquo; to detect potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any execution of ADExplorer by non-administrator accounts.\u003c/li\u003e\n\u003cli\u003eReview ADExplorer use and restrict its usage to authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-adexplorer-execution/","summary":"Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.","title":"Active Directory Discovery via ADExplorer Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-adexplorer-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","wmi","reconnaissance","lateral_movement","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief focuses on detecting 
reconnaissance activities performed through PowerShell using WMI queries. Adversaries often use WMI to gather detailed information about a compromised system, including hardware specifications, operating system details, and installed software. This information can be used to plan further attacks, such as privilege escalation or lateral movement. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify specific WMI queries that target system information classes like \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e and others. Identifying this behavior early can help defenders disrupt attack chains before significant damage occurs. The analytic is based on the detection logic from the Splunk Security Content project as of April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or via a command-line interpreter like \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses the \u003ccode\u003eGet-WmiObject\u003c/code\u003e cmdlet or a direct WMI query with \u003ccode\u003eSELECT\u003c/code\u003e to query system information.\u003c/li\u003e\n\u003cli\u003eSpecific WMI classes are targeted, including \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e, \u003ccode\u003eWin32_ComputerSystem\u003c/code\u003e, \u003ccode\u003eWin32_PnPEntity\u003c/code\u003e, \u003ccode\u003eWin32_ShadowCopy\u003c/code\u003e, \u003ccode\u003eWin32_DiskDrive\u003c/code\u003e, \u003ccode\u003eWin32_PhysicalMemory\u003c/code\u003e, 
\u003ccode\u003eWin32_BaseBoard\u003c/code\u003e, and \u003ccode\u003eWin32_DisplayConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script collects the data returned by the WMI queries.\u003c/li\u003e\n\u003cli\u003eThe gathered information is used to profile the system and identify potential vulnerabilities or weaknesses.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to plan subsequent stages of the attack, like lateral movement or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes further commands based on the gathered information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance can provide attackers with a comprehensive understanding of the target environment, enabling them to tailor their attacks for maximum impact. This can lead to successful privilege escalation, lateral movement, data exfiltration, or ransomware deployment. Organizations that fail to detect and prevent reconnaissance activities are at a higher risk of experiencing significant data breaches and financial losses. 
The Maze ransomware group, Industroyer2, and LockBit ransomware have been observed using similar reconnaissance techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to capture the necessary data for detection (\u003ca href=\"https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.\"\u003ePowerShell Script Block Logging 4104\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMI Reconnaissance via PowerShell\u003c/code\u003e to identify PowerShell scripts querying sensitive WMI classes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user and process context to determine potential malicious intent.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003eRecon Using WMI Class\u003c/code\u003e detection filter (\u003ccode\u003erecon_using_wmi_class_filter\u003c/code\u003e) to reduce false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-wmi-reconnaissance/","summary":"Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.","title":"Suspicious PowerShell Reconnaissance via WMI Queries","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-reconnaissance/"},{"_cs_actors":["FIN6"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["low"],"_cs_tags":["adfind","active-directory","reconnaissance","windows"],"_cs_type":"threat","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAdFind is a command-line tool used to retrieve information from Active Directory. While it has legitimate uses for network administrators, threat actors frequently leverage it for post-exploitation Active Directory reconnaissance. The tool allows for quick scoping of AD person/computer objects and understanding subnets and domain information. AdFind has been observed in campaigns associated with various threat actors, including Trickbot, Ryuk, Maze, and FIN6. This reconnaissance activity is typically conducted after initial compromise to gather information for lateral movement and privilege escalation. The detection of AdFind execution, especially with specific command-line arguments, can indicate malicious activity within a compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows host, possibly through exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Transfer: The attacker transfers AdFind.exe to the compromised host.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes AdFind.exe from the command line or via a script.\u003c/li\u003e\n\u003cli\u003eDiscovery: AdFind is used to enumerate Active Directory objects such as computers (\u003ccode\u003eobjectcategory=computer\u003c/code\u003e), users (\u003ccode\u003eobjectcategory=person\u003c/code\u003e), subnets (\u003ccode\u003eobjectcategory=subnet\u003c/code\u003e), and groups (\u003ccode\u003eobjectcategory=group\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInformation Gathering: The attacker gathers information about domain controllers using commands such as \u003ccode\u003edclist\u003c/code\u003e or 
\u003ccode\u003edcmodes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The gathered information is used to identify potential targets for privilege escalation, such as accounts with weak passwords or misconfigured permissions.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the gathered information to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eObjective Completion: The attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance using AdFind can provide attackers with a comprehensive understanding of the Active Directory environment, facilitating lateral movement, privilege escalation, and ultimately, the exfiltration of sensitive data or deployment of ransomware. While the use of AdFind itself may not be directly damaging, it is a strong indicator of malicious activity within a compromised network. 
The impact can range from data breaches and financial losses to reputational damage and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AdFind Command Activity\u0026rdquo; to your SIEM to detect the execution of AdFind with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide the necessary data for the Sigma rule to function effectively (reference the Sysmon setup documentation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;AdFind Command Activity\u0026rdquo; Sigma rule to determine the scope and impact of the potential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for AdFind-related activity, focusing on command-line arguments used to query Active Directory objects (reference the \u003ccode\u003equery\u003c/code\u003e field in the original rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following a successful compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-adfind-reconnaissance/","summary":"The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.","title":"AdFind Tool Used for Active Directory Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2024-01-adfind-reconnaissance/"}],"language":"en","title":"CraftedSignal Threat Feed — Reconnaissance","version":"https://jsonfeed.org/version/1.1"}